ID Verification: Red Flags and Customer ID Programs

If you have followed the news at all lately, you have likely heard that financial institutions of all stripes are coming under greater scrutiny, with proposals for ever-tighter regulation still on the horizon. This includes not only bank lending and deposit activities, but also the manner in which all institutions vet their clients - former, current and future. In large part this is an attempt to mitigate identity theft. Creative identity thieves have been able to steal personal identification information  from thousands of accounts. Creating false identities and fake ID Documents to open new lines of credit has become easier than ever.

Current legislation is being revised by government and regulatory agencies like FinCen to strengthen both identity verification requirements and beef up penalties for lapses in compliance. In this post, we will conduct an overview of the most relevant legislative acts, and go into more detailed discussions of them in our follow-up posts..

 Red Flags Rule

Established in 2003 under the rubric of the FACTA (Fair and Accurate Credit Transactions) Act, the Red Flags Rule is the business-facing component of the mostly consumer-oriented set of laws. Although still relatively benign compared to more recent stringent regulations, the “Red Flags” rule for the first time compelled banks to set up measures to identify and deter identity theft.

In practice this meant figuring out the accounts most susceptible to identity theft -- those set up by residents of high-risk countries, for instance, whether the accounts themselves are set up Stateside or abroad; or accounts showing suspicious activity, such as unusually high or frequent transactions. Under the rule, business practices also have to incorporate detection and deterrence of these so-called “Red Flags” of identity theft. Plans have to be laid out and enabled on specific steps to mitigate identity fraud, and to keep abreast of the latest changes to the rule.

Title 31 / Bank Secrecy Act

Whenever financial institutions talk about “the big one” in identity verification, they almost always mean the Bank Secrecy Act. Applicable at first to casinos with over $1 million in gaming revenue, it required monitoring monetary transactions - deposits, withdrawals, transfers - for any suspicious activity. Transactions like structured deposits or withdrawals, seemingly to avoid the $10,000 threshold for reporting, in some instances are acts of money laundering, precisely the sort of thing the BSA was designed to combat.

Since its inception, the BSA has been amended to cover not only casinos, but also many of the institutions that extend lines of credit to their customers. It has also been strengthened in portions covering identity verification requirements -- as a lot of the individuals illegally moving money through the financial systems understandably do not want to be identified. The most current iteration of the BSA requires financial institutions to perform “customer due diligence” by ensuring that individuals conducting transactions are, in fact, who they claim to be.

Customer Identification Program

As part of Bank Secrecy Act compliance, financial firms must also verify the identity and the "beneficial owners"  of new accounts, and also go a step beyond in cross-checking them against watch lists of nationals from certain targeted countries, suspected terrorists or narcotics traffickers. Such individuals are known as Specially Designated Nationals (SDNs), and are maintained on a list held by the Treasury Department’s Office of Foreign Assets Control. Their assets are typically frozen within theUnited States, and U.S business are prohibited in engaging in any business with them. Needless to say, financial penalties are steep for businesses found in violation of this program!

Effective compliance requires not only following the program guidelines, but also capably distinguishing between genuine identity documents and forged ones - no small feat, given the plethora of different identity documents in the U.S. alone. For larger organizations, it also means fast and efficient methods of cross-checking account owner names against the government watch lists. The right solution for your businesses depends on what type of business you are typically engaged in, and which of the above rules apply to you. But regardless of which solution you choose, make sure you supplement it with a good dose of vigilance - watching for trends in identity fraud just around the corner - and preparation.